On November 8, the Spanish data protection authority (AEPD) published new Guidelines on the Use of Cookies (Guidelines) (Spanish only). The Guidelines have been prepared in collaboration with different organisations in the marketing and online advertising industries (e.g., Adigital, Iab Spain, etc.), and aim to provide some direction on the use of cookies and similar technologies (e.g., local shared objects or flash cookies, web beacons or bugs, fingerprinting techniques, etc.) in compliance with information society services laws and regulations.
Below are highlights of important elements from the Guidelines:
- Cookies and personal data protection. The Guidelines start by calling out that compliance with additional GDPR provisions (and ancillary local regulations) is required when cookies are used to process personal data. Note that the Guidelines’ definition of personal data also covers processing in which “unique identifiers are used that allow for the differentiation of certain users from the others, and to track them individually (for example, an advertising ID).” (Unofficial translation.) This consideration is particularly important for online business activities.
- Types of cookies:
  - Cookies excepted from compliance obligations. The Guidelines outline which cookies are excepted from the scope of application of the Spanish Information Society Services and E-commerce Act. These are mainly cookies that are required for the services requested by the user to operate, and technical cookies allowing the communication between users’ terminals and networks. These are the cookies that do not trigger the information duties or the obligation to obtain the user’s consent. That said, and for transparency purposes, the AEPD recommends informing users about the use of these cookies “at least in general terms.”
  - Categories of cookies. For illustrative purposes, the Guidelines provide factors for categorizing cookies depending on:
    - Who manages the cookies (proprietary or third-party cookies);
    - Purpose (technical, customization, analytical, and behavioural advertising cookies); and
    - Duration (session or persistent cookies).
- Notice and Choice:
  - Information duties. The Guidelines indicate the minimum information that must be provided to users about cookies (with a great number of examples). Rather than displaying all of that information in a single Cookie Policy (which is less user friendly), webmasters may split it into two layers, with the second layer providing the more detailed information.
  - Consent. The Guidelines accept the “by browsing the website you accept the use of cookies” mechanism. The Guidelines clearly indicate that users can grant their consent to the use of cookies by continuing to browse a website after adequate notice has been given. Up until now, the AEPD’s expectation for consent was unclear. The Guidelines state:
“For the action of continuing browsing to be deemed a valid consent, the information notice must be displayed in a clearly visible place, so that due to its shape, colour, size or location, it can be secured that the notice has not gone unnoticed to the user. Additionally, it will be necessary, for the consent to be deemed granted, that the user performs an action that can be qualified as a clear affirmative action. For instance, a clear affirmative action may be considered to browse to a different section of the website (other than the second layer of information on cookies or the privacy policy), to slide the scroll bar, closing the first layer notice or clicking on any content of the service. The mere fact of viewing the screen, moving the mouse or pressing the keyboard cannot be considered an acceptance.” (Emphasis added; unofficial translation.)
The AEPD provides the following examples of actions that could be considered a valid consent / affirmative action (where the due information has been provided to users):
- The use of the scroll bar, insofar as the information on cookies is visible without using it.
- Clicking on any link contained in the site other than those in the second layer of information on cookies or the privacy policy link.
- On devices such as mobile phones or tablets, by swiping the initial screen and accessing the content.
The Guidelines also analyse (i) different ways of obtaining consent (including consent management platforms); (ii) minors’ consent; and (iii) the possibility of denying access to the website / services where consent to the use of cookies has not been granted (provided that the information duties have been duly complied with).
Note that the AEPD considers that consent must be renewed and updated, at least, every 24 months.
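The rules summarised above (which actions count as a clear affirmative action, which never do, the exclusion of the information-layer and privacy-policy links, the scroll-bar visibility caveat, and renewal every 24 months) can be expressed as a small decision routine. The following is an added example written for this post, not code from the AEPD, the Guidelines or the author; it models the logic without any browser DOM so it can be run anywhere. The action names (`scroll`, `click-link`, `swipe`, …), the `ctx` flags and the shape of the stored consent record are assumptions made for the example.

```javascript
// Added example: a DOM-free model of the AEPD "consent by continuing to browse" rule.
// Action names, ctx flags and the record shape are assumptions for this example.

// Actions the Guidelines list as a clear affirmative action, given adequate notice.
const AFFIRMATIVE_ACTIONS = new Set([
  'navigate-section', // browsing to another section of the site
  'scroll',           // sliding the scroll bar (see the visibility caveat below)
  'close-notice',     // closing the first-layer notice
  'click-content',    // clicking on any content of the service
  'click-link',       // clicking a link, except the information-layer links
  'swipe',            // swiping the initial screen on a phone or tablet
]);

// Actions the Guidelines say can never count as acceptance.
const NON_ACTIONS = new Set(['view', 'mousemove', 'keypress']);

// Links that never count: the second information layer and the privacy policy.
const EXCLUDED_LINKS = new Set(['cookie-policy', 'privacy-policy']);

// Decide whether one user action is a valid affirmative action.
// ctx.noticeVisible: the first-layer notice is displayed in a clearly visible place.
// ctx.infoVisibleWithoutScroll: the cookie information is visible without scrolling.
function classifyAction(action, ctx) {
  if (!ctx.noticeVisible) return 'no-notice'; // no valid consent without a visible notice
  if (NON_ACTIONS.has(action.type)) return 'not-consent';
  if (!AFFIRMATIVE_ACTIONS.has(action.type)) return 'not-consent';
  if (action.type === 'scroll' && !ctx.infoVisibleWithoutScroll) return 'not-consent';
  if (action.type === 'click-link' && EXCLUDED_LINKS.has(action.target)) return 'not-consent';
  return 'affirmative';
}

// Consent must be renewed at least every 24 months.
const RENEWAL_MONTHS = 24;

function addMonths(date, months) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}

// A stored consent record is current only if it exists and is younger than 24 months.
function consentIsCurrent(record, now) {
  if (!record || !record.grantedAt) return false;
  const granted = new Date(record.grantedAt);
  if (Number.isNaN(granted.getTime())) return false;
  return now < addMonths(granted, RENEWAL_MONTHS);
}

// Apply one action to the current consent record and return the resulting record.
// A still-valid record is kept; a missing or expired record is only replaced by a
// fresh one when the action is affirmative, otherwise there is no consent (null).
function applyAction(record, action, ctx, now) {
  if (consentIsCurrent(record, now)) return record;
  if (classifyAction(action, ctx) !== 'affirmative') return null;
  return { grantedAt: now.toISOString(), basis: action.type };
}

// Constructed sample: a first visit with a visible notice and three user actions.
const sampleCtx = { noticeVisible: true, infoVisibleWithoutScroll: true };
const sampleNow = new Date('2019-11-20T10:00:00Z');
const sampleActions = [
  { type: 'mousemove' },                              // never acceptance
  { type: 'click-link', target: 'cookie-policy' },    // excluded link
  { type: 'click-link', target: 'product-page' },     // affirmative
];
let sampleRecord = null;
for (const a of sampleActions) {
  sampleRecord = applyAction(sampleRecord, a, sampleCtx, sampleNow);
}
console.log(sampleRecord); // consent granted on the third action, basis 'click-link'
```

In a real site the same classification would be driven by DOM events (`scroll`, `click`, `touchmove`) and the record kept in a first-party cookie or local storage; the point of the routine is that the record is only written after an action the Guidelines treat as affirmative, and that an expired record is treated exactly like no record at all.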
- Transparency. The Guidelines emphasize the importance of using plain language and reject misleading or ambiguous expressions such as “we may use cookies to improve the browsing in the website.”
What remains now is to wait and see how strictly the AEPD will “enforce” the criteria described in the Guidelines, and for companies to continue working on their apps, websites, etc., to adapt to them.
Authored by Santiago de Ampuero